Jon

Reputation: 1047

IPsec in practice in Java

I am looking into securing network communications (UDP and TCP). It is looking like 'use IPSec' is a good solution. I know this is implemented at a lower level, and the application does not need to see it. However, I want my Java application to be secure, and to know that it is secure.

So in practice, what do I have to do to use IPSec in a Java application? Do I still use DatagramSocket/java.net.Socket.Socket? Is there something I need to do with System.getSecurityManager()? Do I have to do configuration at the OS (Windows XP talking to an Amazon cloud) level?

At some point I will need to check/provide security credentials. How is that done?

I have done a fair amount of googling, and have seen at the network layer how it works. But I have not found anything along the lines of sample application code that takes advantage of IPSec.

Has anyone done this?

Thanks!

Upvotes: 2

Views: 7271

Answers (3)

Nicholas Wilson

Reputation: 9696

To expand on older answers: Suppose that, having to set up IPSec between two endpoints, we want to know if it's in place. If IPSec encryption is happening, it may be the best solution (hardware encryption, keys shared centrally with other services on the machine), but if IPSec encryption isn't being applied, we'd better abort the connection or use application-protocol-level encryption before sending sensitive data.

Unfortunately, there is no standard API for detecting IPSec on a socket (and any Java for doing this is going to have to interface with the native system calls). Further, note that IPSec may be applied by a router somewhere along the route, transparently, so it's only possible to detect it if it's being applied by the OS kernel.

APIs:

  • WSAQuerySocketSecurity
  • setsockopt(sock, IPPROTO_IP, IP_SEC_OPT, &opts) since Solaris 8 (great tutorial here)
  • Shockingly completely(?) undocumented IP_IPSEC_POLICY on Linux
  • Well documented IP_IPSEC_POLICY on FreeBSD and MacOS (using the well-established KAME implementation). Search for examples in /usr/src.

Upvotes: 1

Jon

Reputation: 1047

Ok, I have found the info I was looking for. Maybe the question didn't make it exactly clear what I wanted, but this is what I found:

IPSec needs to be configured on the operating system (to oversimplify). You set up a connection between the two machines, and let them go at it. You know you have a secure connection, because you only allow secure connections on that machine. If you did not have IPSec configured it would not be secure, so you just need to make sure that you do.

Security can be a shared secret, or an X509 Certificate.

And some useful how-tos:

For Linux: http://www.ipsec-howto.org/x304.html

For Windows: http://www.elandsys.com/resources/ipsec/wincert.html

Upvotes: 2
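Added example (not part of either answer above, and not code from their authors): since the Java side keeps using ordinary sockets, one way to "make sure" on a Linux host is a pre-flight check that the kernel's policy database holds an outbound ESP policy covering the peer. It assumes the text comes from the iproute2 command `ip xfrm policy`; the class name, method names and sample output are constructed for illustration.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;

public class IpsecPolicyCheck {
    // True if addr lies inside cidr (e.g. "10.0.0.2/32"); a bare address means full length.
    static boolean inCidr(String cidr, InetAddress addr) throws UnknownHostException {
        String[] parts = cidr.split("/");
        byte[] net = InetAddress.getByName(parts[0]).getAddress(); // IP literal, no DNS lookup
        byte[] ip = addr.getAddress();
        if (net.length != ip.length) return false;                 // IPv4 vs IPv6 mismatch
        int bits = parts.length > 1 ? Integer.parseInt(parts[1]) : net.length * 8;
        for (int i = 0; i < net.length && bits > 0; i++, bits -= 8) {
            int mask = bits >= 8 ? 0xFF : (0xFF << (8 - bits)) & 0xFF;
            if ((net[i] & mask) != (ip[i] & mask)) return false;
        }
        return true;
    }

    // Scans `ip xfrm policy` text for a policy block whose dst selector covers the peer,
    // whose direction is "out", and whose template requires ESP.
    static boolean hasEspOutPolicy(String xfrm, InetAddress peer) throws UnknownHostException {
        boolean dstMatch = false, dirOut = false;
        for (String line : xfrm.split("\n")) {
            String[] t = line.trim().split("\\s+");
            if (line.startsWith("src ")) {            // unindented line opens a new policy block
                dirOut = false;
                dstMatch = t.length >= 4 && t[2].equals("dst") && inCidr(t[3], peer);
            } else if (t[0].equals("dir")) {
                dirOut = t.length > 1 && t[1].equals("out");
            } else if (t[0].equals("proto") && t.length > 1 && t[1].equals("esp")
                       && dstMatch && dirOut) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample in the layout printed by `ip xfrm policy`.
        String sample = "src 10.0.0.1/32 dst 10.0.0.2/32 \n"
            + "\tdir out priority 2080 ptype main \n"
            + "\ttmpl src 0.0.0.0 dst 0.0.0.0\n"
            + "\t\tproto esp reqid 1 mode transport\n"
            + "src 10.0.0.2/32 dst 10.0.0.1/32 \n"
            + "\tdir in priority 2080 ptype main \n"
            + "\ttmpl src 0.0.0.0 dst 0.0.0.0\n"
            + "\t\tproto esp reqid 1 mode transport\n";
        System.out.println(hasEspOutPolicy(sample, InetAddress.getByName("10.0.0.2")));
        System.out.println(hasEspOutPolicy(sample, InetAddress.getByName("10.0.0.9")));
    }
}
```

A match only shows what the local kernel is configured to do for that peer; IPsec applied by a router along the path is invisible to this check, as the first answer notes.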

Alnitak

Reputation: 339975

You can't do it - like you said it's at a lower level - much lower!

Is there any particular reason why "use SSL" isn't a good solution?

Upvotes: 1
